Description

REVOKE command revokes previously granted privileges
from one or more roles. The key word PUBLIC refers to
the implicitly defined group of all roles.

See the description of the GRANT command for the meaning of the privilege types.

Note that any particular role will have the sum of privileges granted
directly to it, privileges granted to any role it is presently a member
of, and privileges granted to PUBLIC. Thus, for example,
revoking SELECT privilege from PUBLIC
does not necessarily mean that all roles have lost SELECT
privilege on the object: those who have it granted directly or via another
role will still have it.

If GRANT OPTION FOR is specified, only the grant
option for the privilege is revoked, not the privilege itself. Otherwise,
both the privilege and the grant option are revoked.

If a role holds a privilege with grant option and has granted it to
other roles then the privileges held by those other roles are called
dependent privileges. If the privilege or the grant option held by the
first role is being revoked and dependent privileges exist, those dependent
privileges are also revoked if CASCADE is specified,
else the revoke action will fail. This recursive revocation only affects
privileges that were granted through a chain of roles that is traceable
to the role that is the subject of this REVOKE command.
Thus, the affected roles may effectively keep the privilege if it was
also granted through other roles.

When revoking membership in a role, GRANT OPTION
is instead called ADMIN OPTION, but the behavior is
similar.